Security concepts shouldn’t be ‘a patch implemented after the fact’

10 Jun 2022

Jose Costa. Image: Tugboat Logic by OneTrust

Jose Costa of Tugboat Logic by OneTrust warns that having security as an afterthought is like sending cars onto a new bridge to test its integrity.

Jose Costa is the CISO at Tugboat Logic, a technology platform that was acquired by OneTrust in 2021. Costa took up the role in 2019, having worked at PwC Canada for more than a decade.

He said that the role can be both exciting and stressful at times due to ever-shifting priorities as a company grows.

“CISOs are responsible for enabling the business to continue expanding and adopting technology as fast as possible without incurring too much risk,” he said.

“It’s never about blocking initiatives or tech strategies, but about informing the rest of the management team about potential risks and working with them to develop pragmatic mitigation strategies that are not too costly or slow to implement.”

What are some of the biggest challenges you’re facing in the current IT landscape?

From finding the right talent and ensuring that you retain it to new security risks, cybercrime, incident response and changing regulatory requirements, there’s no shortage of challenges in the current IT landscape.

If I had to pick one, I would say it is around managing security in your supply chain. That of course requires establishing a robust vendor risk management process.

Still, it’s also about managing those vendors through their lifecycle and empowering the rest of the team to actively mitigate security risks by giving them the right tools and support. Half the battle is ensuring employees in your organisation understand that security is everyone’s responsibility and everyone is accountable.

How are you addressing digital transformation?

Our organisation is disrupting the governance, risk management and compliance (GRC), environmental, social and governance (ESG), privacy and security compliance markets and I would say that we’re driving a significant domain transformation.

We’re disrupting the market of legacy GRC products that typically focus only on big enterprises and are expensive, clunky and extremely difficult to implement. Those legacy products are not meeting the needs of most organisations that require a solution to efficiently manage their compliance programmes and establish trust with their customers, vendors and stakeholders. We’re filling that gap with automation, ease of use, guidance and technology to make it accessible.

Internally, we are transforming some of our processes to continue growing sustainably without losing our agility and to dominate the new market category we are defining. We are achieving this by enabling our employees with digital skills and implementing technology that they can use to make data-driven decisions very quickly.

We are also pushing and embracing our customer and people-first culture. If we have learned something from these pandemic years, it’s that the ability to adapt quickly to dramatic changes is critical to any organisation’s success. We see digital transformation as a journey, and if we do this right I don’t think we will ever finish transforming.

How can sustainability be addressed from an IT perspective?

I think there is a lot that IT can do not only for sustainability, but for other ESG initiatives. First, you should start small, define your values, align them with your organisation and stand up to them.

That’s how you will start making an impact, and you will see these values trickling down your organisation. You will earn your team’s and customers’ trust with transparency and being genuine.

Sustainability is not a check-box exercise – if you don’t believe in the initiatives, your employees and stakeholders won’t either. These are things that people care about and will help you retain employees and customers if you do them right.

After you have a good idea of your values and what you want to implement, start ensuring that your vendors adhere to them. When deciding who we use as a vendor, we have a choice, and we need to start asking some hard questions.

I believe we can also transfer the same thought to our customers. This can be a more complex decision, but we also have a choice in deciding whom to sell our services or products to. How will you maintain your trust in the market if you do business with shady customers or engage with vendors that don’t align with your values?

What big tech trends do you believe are changing the world?

The intersection of ethics and technology is pretty fascinating. We’re at a point where we can achieve great things with connectivity between applications and data sharing in general. The vast array of innovations that can be achieved by combining data from different sources, interpreting it and presenting it in different ways can be really impactful and valuable.

Tying data from multiple sources in real time could allow you to make decisions about your business on the fly and become truly agile. This can get scary very quickly if we don’t protect data subjects and regulate the use of that data to make sure it is not used in unintended ways that could harm individuals or cross lines into personal freedoms.

Transparency and establishing trust will be crucial and security professionals will have an essential role in this.

How can we address the security challenges currently facing your industry?

This may not be very popular, but I believe that we could use some regulatory and legislative change that is agile and can adapt quickly to technology changes.

Setting up some basic expectations around businesses’ security posture may seem like a costly initiative at the moment, but should we wait until something goes wrong? Should someone lose a lot of money or get hurt to start thinking about implementing basic security expectations to run a business? No – it should be proactive.

After all, nearly every industry depends heavily on technology and the potential consequences could be disastrous if something went wrong.

The concept of security can’t be an afterthought. Trust is not something that you build on top of your existing processes, but something you need to implement by design – and trust by design is not a buzzword. For example, nobody would build a bridge first and then send traffic across to test its structural integrity.

Safety is embedded in the process of building a bridge because structural engineering has been around for a long time. Computer engineering is a very young science, but we need to start thinking about embedding security concepts as we build and transform our businesses and not as a patch implemented after the fact.